Company added to hacking lawsuit

Nov. 5, 2012

Written by

Staff writer

The private company hired by the state of South Carolina to monitor taxpayers’ sensitive personal data now is in the crosshairs of a lawsuit after it was revealed that the state used its services instead of its own, free protection.

“This is a huge development, because we learn for the first time that a large, multinational corporation had assumed the responsibility for securing this data,” Upstate attorney John Hawkins said in announcing his amended lawsuit against the state, which he hopes will be designated class-action status representing each of 3.6 million residents whose Social Security numbers have been compromised.

“This case is no longer just about suing state government,” Hawkins said. “It’s become much bigger.”

The company named in the suit, Chicago-based Trustwave, declined to comment on the legal action Monday.

Gov. Nikki Haley, who along with the Department of Revenue is a chief defendant, reiterated comments last week dismissing the suit.

“Nothing Mr. Hawkins does surprises the governor, nor does it change her statement from last week: There is a trial lawyer with a hand out and a tissue ready at any crisis,” Haley spokesman Rob Godfrey told GreenvilleOnline.com.

Hawkins, a former Republican senator who Haley campaigned against in June during his failed primary bid to reclaim his seat, alleged in his suit that Haley and the Department of Revenue didn’t “expeditiously” disclose the theft of 3.6 million Social Security numbers.

About 387,000 mostly encrypted credit and debit card numbers were part of the October theft that state officials said was the work of a foreign hacker who gained access through a compromised employee security code.

The State Budget and Control Board’s Division of State Information Technology also was added as a defendant on Monday.

The Department of Revenue said it used Trustwave’s services because they are accredited to meet industry standards that credit companies require for information protection.

The department on Oct. 20 enlisted the government protection used by dozens of state agencies, 10 days after it discovered the breach.

The suit asks for a court to determine whether the state is liable for a fine of up to $1,000 per person affected.